[H-GEN] An iptables question ...
Tony Nugent
tony at linuxworks.com.au
Thu Sep 19 04:37:08 EDT 2002
[ Humbug *General* list - semi-serious discussions about Humbug and ]
[ Unix-related topics. Posts from non-subscribed addresses will vanish. ]
On Thu Sep 19 2002 at 17:13, Ewan Edwards wrote:
> All the doco I've read about iptables seems to concentrate on constructing
> rules and how the rules relate to each other. What it hasn't told me yet, is
> how I can implement these rules. Do I use these rules with some utility that
> constructs a script thats run at boot time? Do these rules get put into a
> config file somewhere that kernel refers to at boot time? Is there some
> other daemon that needs to find these rules somewhere?
Construction of a comprehensive firewall is a bit of an art, but not
too hard to do once you have a handle on how it all works and what is
possible. There's a fair bit of documentation available on the web,
including some howtos; I would suggest a Google search. Building a
basic firewall is quite easy.
As for "preserving state", Red Hat (at least) has this functionality
in the /etc/rc.d/init.d/iptables (or /etc/rc.d/init.d/ipchains)
script.
Build your firewall by hand or script or with whatever tools you may
like, checking it with "iptables -nvL" (or "iptables -t nat -nvL" or
whatever). But the problem is that once you have it set up, then
you want to preserve it through reboots - which is a bit of a
problem. However, if you simply do:
service iptables save
then the current firewall rules will be dumped into
/etc/sysconfig/iptables (or ipchains if you use that).
Turn on that service at bootup (e.g., "chkconfig iptables on"), and
your firewall will come up automatically exactly how you last saved
it. (It uses /sbin/iptables-save and /sbin/iptables-restore to do
all the magic.) Very useful.
> I just don't know how or where the kernel or "iptables utility" becomes aware
> of the rules. I don't even know if iptables is a separate program, or a
> daemon, or a part of the kernel.
/sbin/iptables is a program that comes with the iptables package
(sic :) It provides the interface for configuring and viewing the
iptables chains and rules.
The 2.4.x kernels are very cool in that they provide backward
compatibility with ipchains (2.2.x kernels) and ipfwadm (2.0.x). To
use ipchains on a 2.4.x kernel, you need to load the kernel driver
for it (modprobe ipchains). Same for ipfwadm and iptables: you need
to load the appropriate kernel driver (and only one can be loaded at
any one time).
> Regards,
> Ewan
Hope this helps to de-mystify at least some of the process.
I'd like to go into long raves about how to build good firewalls,
but this is really a subject appropriate to a meeting talk. :)
Cheers
Tony
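As an added example (not part of Tony's post), a small sh script that sanity-checks a saved ruleset in the iptables-save format that /etc/sysconfig/iptables holds, before iptables-restore loads it at boot. The dump it checks is a constructed sample, and the function names check_ruleset and restore_if_ok are my own.

```shell
#!/bin/sh
# Pre-flight check for an iptables-save dump (what "service iptables save"
# writes) before it is fed to iptables-restore. Runs without root because
# it only inspects text.

# Constructed sample dump, standing in for /etc/sysconfig/iptables.
SAMPLE_RULES='# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
'

# check_ruleset FILE: return 0 if the dump looks safe to restore, 1 otherwise.
# It requires a COMMITted *filter table, DROP policies on INPUT and FORWARD,
# an accept for loopback and a stateful accept for established traffic;
# without the last two a default-DROP policy locks out local services and
# replies to the box's own connections.
check_ruleset() {
    f=$1
    grep -q '^\*filter$' "$f" || { echo "no *filter table"; return 1; }
    grep -q '^COMMIT$' "$f" || { echo "missing COMMIT"; return 1; }
    grep -q '^:INPUT DROP ' "$f" || { echo "INPUT policy is not DROP"; return 1; }
    grep -q '^:FORWARD DROP ' "$f" || { echo "FORWARD policy is not DROP"; return 1; }
    grep -q -- '-A INPUT -i lo -j ACCEPT' "$f" || { echo "loopback not accepted"; return 1; }
    grep -q -- '--state ESTABLISHED,RELATED -j ACCEPT' "$f" || { echo "no stateful accept"; return 1; }
    return 0
}

# restore_if_ok FILE: load the dump with iptables-restore only when the check
# passes and we actually have the privilege to do so; otherwise just report.
restore_if_ok() {
    check_ruleset "$1" || return 1
    if [ "$(id -u)" -eq 0 ] && command -v iptables-restore >/dev/null 2>&1; then
        iptables-restore < "$1"
    else
        echo "ruleset in $1 passed checks (not root, not restoring)"
    fi
}
```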